<html class="" lang="en"><head>

  <meta charset="UTF-8">
  <title>IRIS Demonstration</title>

  <meta name="robots" content="noindex">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:wght@100&amp;display=swap">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css">
  <link rel="stylesheet" href="/static/assets/css/bootstrap.min.css">
  <link rel="stylesheet" href="/static/assets/css/atlantis.css">
  <link rel="stylesheet" href="/static/assets/css/demo.css">
  <link rel="icon" href="/static/assets/img/logo.ico" type="image/x-icon"/>
  <script defer data-domain="v200.beta.dfir-iris.org" src="https://analytics.dfir-iris.org/js/plausible.js"></script>

</head>
  <body class="landing-demo">
  	<div class="ml-1 row justify-content-center mr-1">
        <div class="col-xl-8">
        <div class="card mt-3">
            <div class="mt-4">
                <div class="col d-flex justify-content-center">
                    <a href="/" class="logo ml-2 text-center">
                        <img src="/static/assets/img/logo-full-blue.png" alt="navbar brand" width="300rem">
                    </a>
                </div>
            </div>
            <div class="row">
                <h4 class="ml-auto mr-auto"><span class="text-danger">shared</span> demonstration instance {{ iris_version }}</h4>
             </div>
             <div class="row">
                 <h5 class="text-muted ml-auto mr-auto"><i>Try out IRIS, find bugs and security vulnerabilities</i></h5><br/>
             </div>

             <div class="row mt-4">
             </div>
            <div class="row mt-4">
            </div>
            <div class="row mt-2 mb-4">
                <div class="col-md-1 col-lg-2"></div>
                <div class="col-md-10 col-lg-8 ml-4">
                    <h3 class=" ml-auto mr-auto">Kindly read the following carefully</h3><br/>
                    <ul>
                        <li><b>Do not upload any illegal or confidential materials</b></li>
                        <li><b>Do not download and open files from other users blindly</b></li>
                        <li><b>Respect a <a class="text-muted" target="_blank" rel="noopener noreferrer" href="https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#responsible-or-coordinated-disclosure">responsible disclosure</a> of 30 days if you find a vulnerability</b></li>
                    </ul>
                    <b>Not sure what IRIS is about? You'll find more info on the <a target="_blank" rel="noopener" href="https://dfir-iris.org">main website</a></b>
                </div>
                <div class="col-md-1 col-lg-2"></div>
            </div>
            <div class="row mt-3">
                <div class="col-md-1 col-lg-2"></div>
                <div class="col-md-10 col-lg-8 ml-4 mr-3">
<p class="">Accounts to access the instance are available at the bottom of the page. If they don't work, check that no trailing spaces were added when copying. <br/>
                    IRIS is not optimized for use on phones. We recommend accessing it from a computer.<br/>
                    If you notice anything suspicious or have any questions, please <a href="mailto:contact@dfir-iris.org">contact us</a>. <br/>Note that the instance might be reset at any moment.</p>

<p><i>By accessing this instance you confirm that you have read, understood and agree with all the information on this page.</i></p>
                </div>
                <div class="col-md-1 col-lg-2"></div>
            </div>
            <div class="row mt-4 mb-4 mr-2">

                   <a class="btn btn-outline-success ml-auto mr-auto" target="_blank" rel="noopener" href="/login">
                            Access IRIS
                   </a>
            </div>
            <div class="row mt-4 mb-4 mr-2 justify-content-center">
                <div class="ml-mr-auto">
                  <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseSecRules" aria-expanded="false" aria-controls="collapseSecRules">
                    Rules of engagement
                  </button>
                    <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseLiability" aria-expanded="false" aria-controls="collapseLiability">
                    Disclaimer
                  </button>
                  <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapseAccounts" aria-expanded="false" aria-controls="collapseAccounts">
                    Accounts
                  </button>
                </div>
            </div>
            <div class="row mt-4 mb-4 mr-2 justify-content-center">
                <div class="col ml-4">
                    <div class="collapse" id="collapseLiability">
                        <div class="card card-body">
                            <h3 class="mt-2">Disclaimer</h3>
DFIR-IRIS is a non-profit organization. It is not responsible for any damage caused by the use of this site or any material contained in it, or by any action or decision taken as a result of using this site.<br/>
                            It is not responsible for the content of any external sites linked from this site.<br/> By using this site, you acknowledge that content posted on this site is public and that DFIR-IRIS cannot guarantee the security of any information disclosed on it; you make such disclosures at your own risk.

                            <h4 class="mt-2">Privacy</h4><br/>
<p>This demonstration instance is shared and we cannot guarantee the privacy of any data you upload to it. We are not responsible for any data loss or data leak. </p>
                            <p>To better understand how this instance is used, DFIR-IRIS relies on privacy-friendly, cookie-less analytics. DFIR-IRIS does not collect any personal data and does not use any third-party analytics; it uses a self-hosted <a target="_blank" rel="noopener" href="https://plausible.io/">Plausible</a> instance.</p>
                        </div>
                    </div>
                    <div class="collapse" id="collapseSecRules">
                      <div class="card card-body">
                        <h3 class="mt-2">Rules of engagement</h3>
<p class=""><b>If you find a vulnerability</b>, <a href="mailto:contact@dfir-iris.org">contact us</a> before going public, as it may impact systems already in production.<br/>
                            In other words, please respect a responsible disclosure period of 30 days. We will patch and then publish the vulnerability. Depending on the finding, a CVE might be requested, and it will carry your name unless you prefer otherwise.<br/>
                            You can report anything you find at <a href="mailto:contact@dfir-iris.org">contact@dfir-iris.org</a>.</p>
                        <p class=""><b>The scope of the security tests</b> is limited to the IRIS web application hosted on <a class="" target="_blank" rel="noopener" href="{{ demo_domain }}">{{ demo_domain }}</a>.<br/>
                           <span class="text-danger">Subdomains, SSH, scanning of the IP, brute force (BF), and other such activities are <b>out of scope.</b></span></p>
                          We are mostly interested in the following:
                        <ul>
<li><b>authentication bypass</b>: perform any action that requires authentication without being authenticated. <span class="text-danger">Brute force is not what we are looking for</span></li>
                            <li><b>privilege escalation within the application</b>: from a standard user (<code>user_std_XX</code>) to administrative rights (<code>adm_XX</code>) on IRIS</li>
                            <li><b>privilege escalation on the host server</b>: from a standard user (<code>user_std_XX</code>) to code execution on the server</li>
                            <li><b>data leakage</b>: from a standard user (<code>user_std_XX</code>), read data from cases that should not be accessible (titled <code>Restricted Case XXX</code>)</li>
                        </ul>
                        <h3>Important Remarks</h3>
                          <ul>
<li>If you can, use a local instance of IRIS instead of this one. It only takes a few minutes to <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/getting_started/">get it running on Docker.</a></li>
                              <li>The administrator account can publish stored XSS on the platform via <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org/operations/custom_attributes/">Custom Attributes</a>. This is an operational requirement and is not recognized as a vulnerability.</li>
                              <li><b>Try not to be destructive.</b> If you manage to run code on the host server, do not try to go further.</li>
                          </ul>
                        <h3>Restrictions</h3>
To keep this demo instance alive, some restrictions are in place.
                          <ul>
                              <li>The <code>administrator</code> account cannot be updated nor deleted.</li>
                              <li>The accounts available on this page cannot be updated nor deleted.</li>
<li>File upload in the datastore is limited to 200 KB per file.</li>
                          </ul>
                        <h3>Resources</h3>
<p>You can read more about IRIS on the <a target="_blank" rel="noopener" href="https://docs.dfir-iris.org">official documentation website</a>.<br/>
                          IRIS is an open-source application, so you can directly access the code on <a target="_blank" rel="noopener" href="https://github.com">GitHub</a>.</p>
                      </div>
                    </div>
                    <div class="collapse" id="collapseAccounts">
                      <div class="card card-body">
                        <h3 class="mt-2">Accounts</h3>
The following accounts are available on the instance. These users cannot be updated or deleted; however, new users and groups can be created.<br/>
                          <b class="text-danger">If the passwords are not working, please double-check that no spaces were added while copying.</b>
                          <table class="table table-striped table-hover responsive">
                              <thead>
                                    <tr>
                                        <th>Username</th>
                                        <th>Password</th>
                                        <th>Role</th>
                                    </tr>
                              </thead>
                              <tbody>
                                {% for user in demo_users %}
                                    <tr>
                                        <td>{{ user.username }}</td>
                                        <td><code>{{ user.password }}</code></td>
                                        <td>{{ user.role }}</td>
                                    </tr>
                                {% endfor %}
                              </tbody>
                          </table>
                      </div>
                    </div>
                </div>
            </div>
        </div>
        </div>
    </div>
  </body>
    <script src="/static/assets/js/core/jquery.3.2.1.min.js"></script>
    <script src="/static/assets/js/core/bootstrap.min.js"></script>
</html>